IKEv2 VTI to Azure

Ben F
Level 1

I have seen several posts regarding this topic, but nothing seems to be fully inclusive. This post is also not fully inclusive, but hopefully the discussion will help iron out some details. As of version 9.8.1 (I think) the ASA has support for IKEv2 route-based VPN with the virtual tunnel interface (VTI). You still configure your phase 1 & phase 2, but you no longer need the crypto map on your outside interface. You also don't need NAT exclusions. You can still use a tunnel-group to set the PSK, but from what I can tell, a group-policy is not required (but is optional). Most of the configuration seems pretty simple as far as getting the ASA ready.

I do have two questions though and they relate to a VPN to Azure. (I've only been exposed to Azure in the past few weeks and in limited context.) What IP should be used for the VTI? If this was between ASAs I believe that both VTI interfaces should be on the same subnet. Since this is with Azure... I have no idea. Second, what IP should be used for a static route on the ASA that points to the Azure environment? My tunnel is up and I just picked a random, private IP. I put in a static route to our Azure public IP. This is how the configuration looks.

sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha256
 lifetime seconds 28800
crypto ikev2 enable OUTSIDE
!
crypto ipsec ikev2 ipsec-proposal AZURE_PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
crypto ipsec profile AZURE_PROFILE
 set ikev2 ipsec-proposal AZURE_PROPOSAL
!
interface tunnel 1
 nameif AZURE_VPN
 description "TUNNEL TO AZURE"
 ip address 172.X.X.254 255.255.255.0
 tunnel source interface OUTSIDE
 tunnel destination <AZURE_PUBLIC_IP>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AZURE_PROFILE
route AZURE_VPN <AZURE_PRIVATE_NETWORK_ADDRESS> <AZURE_PN_MASK> <AZURE_PUBLIC_IP>

access-list AZURE_ALLOWED extended permit ip object AZURE_LAN object LOCAL_LAN
access-group AZURE_ALLOWED in interface AZURE_VPN

1 Reply

c1sc0admin
Level 1

What IP should be used for the VTI? If this was between ASAs I believe that both VTI interfaces should be on the same subnet.

This can be any private IP address, and yes, should be the same subnet on both ends. Just don't use one that you are already using internally.

 

Second, what IP should be used for a static route on the ASA that points to the Azure environment?

The route you have is almost correct, except that you want your destination to be the IP address of the remote VTI interface. For example:

AZURE_LAN subnet 192.168.0.0 255.255.255.0

AZURE_REMOTE VTI Interface 172.X.X.253

route AZURE_VPN 192.168.0.0 255.255.255.0 172.X.X.253
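As an added example (not from either poster, and not Cisco code): a small Python check that parses an ASA tunnel block and the route over it, and flags exactly the mistake discussed above, a next hop that is the tunnel destination public IP instead of an address inside the VTI subnet. The config text, the 172.16.1.0/24 VTI subnet and the 203.0.113.10 peer address are constructed sample values.

```python
import ipaddress
import re

# Constructed sample ASA fragments: the original route (next hop = tunnel
# destination public IP) and the corrected one (next hop = remote VTI address).
ORIGINAL = """\
interface tunnel 1
 nameif AZURE_VPN
 ip address 172.16.1.254 255.255.255.0
 tunnel source interface OUTSIDE
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
route AZURE_VPN 192.168.0.0 255.255.255.0 203.0.113.10
"""

CORRECTED = ORIGINAL.replace("route AZURE_VPN 192.168.0.0 255.255.255.0 203.0.113.10",
                             "route AZURE_VPN 192.168.0.0 255.255.255.0 172.16.1.253")


def parse_vti(config):
    """Return (nameif, local VTI interface, tunnel destination) from the tunnel block."""
    nameif = re.search(r"^\s*nameif\s+(\S+)", config, re.M).group(1)
    ip, mask = re.search(r"^\s*ip address\s+(\S+)\s+(\S+)", config, re.M).groups()
    dest = re.search(r"^\s*tunnel destination\s+(\S+)", config, re.M).group(1)
    return nameif, ipaddress.ip_interface(f"{ip}/{mask}"), ipaddress.ip_address(dest)


def check_vti_route(config, local_lan):
    """Return a list of problems with static routes over the VTI (empty list = OK)."""
    nameif, vti, dest = parse_vti(config)
    problems = []
    # The VTI subnet must not collide with anything already routed internally.
    if ipaddress.ip_network(local_lan).overlaps(vti.network):
        problems.append(f"VTI subnet {vti.network} overlaps internal subnet {local_lan}")
    for m in re.finditer(rf"^route\s+{nameif}\s+(\S+)\s+(\S+)\s+(\S+)", config, re.M):
        net, mask, nh = m.groups()
        nh = ipaddress.ip_address(nh)
        if nh == dest:
            problems.append(f"next hop {nh} is the tunnel destination (public IP), not the remote VTI")
        elif nh not in vti.network:
            problems.append(f"next hop {nh} is not in the VTI subnet {vti.network}")
        elif nh == vti.ip:
            problems.append(f"next hop {nh} is the local VTI address, not the remote one")
    return problems


if __name__ == "__main__":
    print(check_vti_route(ORIGINAL, "10.0.0.0/24"))   # flags the public-IP next hop
    print(check_vti_route(CORRECTED, "10.0.0.0/24"))  # []
```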